Methods and systems for providing subsidized access to network content by way of a secure connection

1. A method comprising: detecting, by a subsidized access management system, an establishment of a communication session between an access device and a content provider system by way of a secure connection within a network; receiving, by a network packet processor included in the subsidized access management system, a data call from the access device and that includes a universal resource identifier (“URI”) of network content associated with a secure link included in a webpage and code representative of a snippet identifier that identifies a subsidized access arrangement between a content provider and a network service provider; determining, by the network packet processor included in the subsidized access management system based on the URI, that a data usage charge for access by the access device to the network content by way of the secure connection within the network is subsidized by the content provider in accordance with the subsidized access arrangement between the content provider and the network service provider; tracking, by the network packet processor included in the subsidized access management system in response to the receiving of the data call, an amount of data transmitted between the access device and the content provider system during the communication session; forwarding, by the network packet processor included in the subsidized access management system, the data call to the content provider system; receiving, by a server-side plugin gateway (“SSP gateway”) included in the subsidized access management system from a server-side plugin residing on the content provider system, a message identifying the URI associated with the network content and a start time that indicates a time during the communication session at which the access device starts accessing the network content by way of the secure connection; transmitting, by the SSP gateway included in the subsidized access management system, the message to a timing record manager included in the subsidized access management system; writing, by the timing record manager included in the subsidized access management system based on the message, a data usage record for the access device to a usage record database; transmitting, by the network packet processor included in the subsidized access management system to an accounting server included in the subsidized access management system, tracking data representative of the amount of the tracked amount of data transmitted between the access device and the content provider system during the communication session; and determining, by the accounting server included in the subsidized access management system based on the tracking data, the data usage record, and the start time, an amount of data included in the tracked amount of data that is to be subsidized by the content provider.

2. The method of claim 1 , further comprising: receiving, by the subsidized access management system from the content provider system prior to a user of the access device selecting the secure link, data representative of an original URI for the network content, the data being transmitted by the content provider system to the subsidized access management system in response to the access device loading the webpage that includes an original link associated with the original URI; determining, by the subsidized access management system in response to the receiving of the data representative of the original URI, that the user is eligible to receive subsidized access to the network content and that the content provider has enough quota to provide the user with the subsidized access to the network content; creating, by the subsidized access management system in response to the determining that the user is eligible and that the content provider has enough quota, a modified URI that includes the original URI combined with data indicating that the user is eligible to receive the subsidized access to the network content for a predetermined amount of time; and directing, by the subsidized access management system, the content provider system to replace the original link within the webpage with a modified link associated with the modified URI, wherein the modified link is the secure link.

3. The method of claim 2 , wherein the establishment of the communication session is performed in response to the selection by the user of the secure link.

4. The method of claim 2 , wherein the original link is a secure link.

5. The method of claim 1 , wherein the determining that the data usage charge is subsidized by the content provider comprises: determining that the URI matches a URI included in a rule set.

6. The method of claim 1 , wherein the establishment of the communication session occurs prior to a request being provided by the access device to access the network content by way of the secure connection.

7. The method of claim 1 , wherein the establishment of the communication session occurs in response to a request being provided by the access device to access the network content by way of the secure connection.

8. The method of claim 1 , wherein the tracking of the amount of data comprises counting an amount of ingress and egress data transmitted between the access device and the content provider system during each of a plurality of time bins.

9. The method of claim 8 , wherein the time bins are each about 100 milliseconds.

10. The method of claim 1 , further comprising: receiving, by the subsidized access management system from the server-side plugin residing on the content provider system, data identifying an end time that indicates a time during the communication session at which the access device stops accessing the network content; and the determining of the amount of data that is to be subsidized by the content provider is further based on the end time.

11. The method of claim 10 , further comprising adjusting, by the subsidized access management system, at least one of the start time and the end time to account for a round trip time between the subsidized access management system and the content provider system.

12. The method of claim 1 , wherein the communication session comprises a Transmission Control Protocol (“TCP”) session.

13. The method of claim 1 , wherein the secure connection comprises a Transport Layer Security (“TLS”) or a Secure Sockets Layer (“SSL”) connection.

14. A subsidized access management system comprising: a network packet device comprising a network packet processor and a network packet memory storing executable instructions that, when executed by the network packet processor, cause the network packet processor to perform functions of: detecting an establishment of a communication session between an access device and a content provider system by way of a secure connection within a network, receiving a data call from the access device and that includes a universal resource identifier (“URI”) of network content associated with a secure link included in a webpage and code representative of a snippet identifier that identifies a subsidized access arrangement between a content provider and a network service provider, determining, based on the URI, that a data usage charge for access by the access device to the network content by way of the secure connection within the network is subsidized by the content provider in accordance with the subsidized access arrangement between the content provider and the network service provider, tracking, in response to the receiving of the data call, an amount of data transmitted between the access device and the content provider system during the communication session, and forwarding the data call to the content provider system; a server-side plugin gateway (“SSP gateway”) configured to receive, from a server-side plugin residing on the content provider system, a message identifying the URI associated with the network content and a start time that indicates a time during the communication session at which the access device starts accessing the network content by way of the secure connection, and transmit the message; a timing record manager configured to receive the message from the SSP gateway, and write, based on the message, a data usage record for the access device to a usage record database; and an accounting server communicatively coupled to the timing record manager and to the network packet device and comprising an accounting server memory and an accounting server processor, the accounting server memory storing executable instructions that, when executed by the accounting server processor, cause the accounting server processor to perform functions of: receiving, from the network packet device, tracking data representative of the amount of the tracked amount of data transmitted between the access device and the content provider system during the communication session, and determining, based on the tracking data, the data usage record, and the start time, an amount of data included in the tracked amount of data that is to be subsidized by the content provider.

15. The method of claim 1 , further comprising initializing, by the subsidized access management system in response to the establishment of the communication session, the server-side plugin residing on the content provider system, the initializing configured to synchronize a clock used by the content provider system and a clock used by the subsidized access management system.

16. The method of claim 15 , wherein the initializing of the server-side plugin residing on the content provider system comprises: receiving, at the SSP gateway included in the subsidized access management system and at a time T2, an authentication request transmitted by the server-side plugin at a time T1′, the authentication request including an identifier of the server-side plugin and data representative of the time T1′; forwarding, from the SSP gateway to an authentication server included in the subsidized access management system, the authentication request; authenticating, at the authentication server based on the identifier of the server-side plugin, the authentication request; transmitting, from the authentication server to the SSP gateway, an authentication response that includes an access token, the SSP gateway receiving the authentication response at a time T3; forwarding, from the SSP gateway to the content provider system, the authentication response, the forwarded authentication response including the access token and data representative of the times T2 and T3, the content provider system receiving the forwarded authentication response at a time T4; receiving, at the SSP gateway and at a time T6, a message transmitted by the server-side plugin at a time T5′, the message transmitted by the server-side plugin including data representative of a clock skew computed by the server-side plugin in accordance with the following equation: θ={(T2−T1′)+(T3−T4′)}/2, where θ is the clock skew; validating, at the SSP gateway with the authentication server, the message transmitted by the server-side plugin; forwarding, from the SSP gateway to the timing record manager, the message transmitted by the server-side plugin subsequent to the validating, the timing record manager receiving the forwarded message at a time T7; transmitting, from the timing record manager to the SSP gateway in response to the timing record manager receiving the forwarded message, an OK message to the SSP gateway, the SSP gateway receiving the OK message at a time T8; and forwarding, from the SSP gateway to the content provider system, the OK message together with data representative of times T6 and T8, wherein the server-side plugin computes an updated clock skew, the updated clock skew configured to be used to transmit the start time to the subsidized access management system.

17. The subsidized access management system of claim 14 , further comprising an authentication server communicatively coupled to the SSP gateway and comprising an authentication server memory and an authentication server processor, wherein: the SSP gateway is further configured to receive, at a time T2, an authentication request transmitted by the server-side plugin at a time T1′, the authentication request including an identifier of the server-side plugin and data representative of the time T1′, and forward, to the authentication server, the authentication request; the authentication server memory stores executable instructions that, when executed by the authentication server processor, cause the authentication server processor to perform functions of: authenticating, based on the identifier of the server-side plugin, the authentication request, and transmitting, to the SSP gateway, an authentication response that includes an access token, the SSP gateway receiving the authentication response at a time T3; the SSP gateway is further configured to forward, to the content provider system, the authentication response, the forwarded authentication response including the access token and data representative of the times T2 and T3, the content provider system receiving the forwarded authentication response at a time T4, receive, at a time T6, a message transmitted by the server-side plugin at a time T5′, the message including data representative of a clock skew computed by the server-side plugin in accordance with the following equation: θ={(T2−T1′)+(T3−T4′)}/2, where θ is the clock skew, validate the message transmitted by the server-side plugin with the authentication server, and forward, to the timing record manager, the message subsequent to the validating, the timing record manager receiving the forwarded message at a time T7; the timing record manager is further configured to transmit to the SSP gateway in response to the timing record manager receiving the forwarded message, an OK message to the SSP gateway, the SSP gateway receiving the OK message at a time T8; and the SSP gateway is further configured to forward, to the content provider system, the OK message together with data representative of times T6 and T8, wherein the server-side plugin computes an updated clock skew, the updated clock skew configured to be used to transmit the start time to the subsidized access management system.